Vulnerability Report: GO-2023-1578
- CVE-2023-0475, GHSA-jpxj-2jvg-6jv9
- Affects: github.com/hashicorp/go-getter/v2, github.com/hashicorp/go-getter
- Published: Feb 17, 2023
- Modified: May 20, 2024
HashiCorp go-getter is vulnerable to decompression bombs. This can lead to excessive memory consumption and denial-of-service attacks.
Affected Packages
- Path: github.com/hashicorp/go-getter/v2
  Go Versions: from v2.0.0 before v2.2.0
  Symbols: 15 affected symbols
- Path: github.com/hashicorp/go-getter
  Go Versions: before v1.7.0
  Symbols: 21 affected symbols
  - Bzip2Decompressor.Decompress
  - Client.ChecksumFromFile
  - Client.Get
  - FolderStorage.Get
  - GCSGetter.Get
  - GCSGetter.GetFile
  - Get
  - GetAny
  - GetFile
  - GzipDecompressor.Decompress
  - HttpGetter.Get
  - S3Getter.Get
  - S3Getter.GetFile
  - TarBzip2Decompressor.Decompress
  - TarDecompressor.Decompress
  - TarGzipDecompressor.Decompress
  - TarXzDecompressor.Decompress
  - TarZstdDecompressor.Decompress
  - XzDecompressor.Decompress
  - ZipDecompressor.Decompress
  - ZstdDecompressor.Decompress
References
- https://discuss.hashicorp.com/t/hcsec-2023-4-go-getter-vulnerable-to-denial-of-service-via-malicious-compressed-archive/50125
- https://github.com/hashicorp/go-getter/commit/0edab85348271c843782993345b07b1ac98912e6
- https://github.com/hashicorp/go-getter/commit/78e6721a2a76266718dc92c3c03c1571dffdefdc
- https://vuln.go.dev/ID/GO-2023-1578.json